Jamf Pro pre stage enrollment: local account is not always created

doekman
New Contributor III

I am currently trying to fix a weird situation. We have a Jamf Pro install, and we use PreStage Enrollment for new machines. Old machines are wiped, re-installed, and treated as new machines.

Sometimes we find that, during the setup procedure, no option is given to let the end user create a local user account. We see these steps (from memory):

1. Choose WiFi
2. Authenticate via Google (Enrollment Customization)
3. All kinds of profiles are downloaded and installed
4. Computer is rebooted

Our settings:

PreStage Enrollments > Our company > General: Setup Assistant will not automatically advance, and all Setup Assistant Options are checked.

PreStage Enrollments > Our company > Account settings: A local (hidden) admin account will be created, and the local user account type is also an administrator.

But no Setup Assistant is started, so we end up with a computer that has a local admin account that is managed by Jamf Pro, but without a local account for the user. I also found some settings for user-initiated enrollment, but I'm not sure if those settings are applicable at this point.

I'm not really an MDM person. I'm more of a software developer, but I'm trying to help some colleagues who are stuck with this problem. So sorry if I'm missing something obvious.

2 REPLIES

AJPinto
Honored Contributor II

Your best option is to get one of these "problem" devices in your hands to troubleshoot with so you can check logs. Apple really has no way to view logs remotely. 

 

  • Check to make sure no network traffic is getting blocked
  • Auto advance only works on macOS 11+, try disabling it for a bit
  • You can open terminal (or at least used to be able to) from setup assistant. Check the MDM and install logs as well as any other relevant logs
  • Try to enable root in recovery. If you can that will let you log in to macOS with root for investigation
    • Assuming you can't log in with your hidden local account
  • Check the JAMF System logs (download them) and look for any errors around the enrollment time
    • Enable debugging and statement logging as needed

doekman
New Contributor III

I'll try to get my hands on a faulty machine, as soon as it happens again. This one has been wiped and re-issued.